Building Your DLP Strategy & Process Whitepaper
Contents

Introduction 3
DLP Planning: Organize Your Project for Success 3
DLP Planning: Clarify User Profiles 4
DLP Implementation: Phases of a Successful Project 5
Phase 1: Define Success & Freeze Project Scope 5
Phase 2: Identify Critical DLP User Profiles 5
Phase 3: Identify Sensitive Information & Business Requirements 5
Phase 4: Design & Manage DLP Policies 5
Phase 5: Fine-Tune Policies and Incident Management 6
Phase 6: Implement Awareness & Training Programs 6
Phase 7: Manage the Project & Track Progress
INTRODUCTION

Forcepoint works with its clients around the world to develop effective strategies and processes for implementing data loss prevention (DLP) programs. Our extensive experience and technical expertise in this area of data security has led to our continuous industry leadership and product innovation to stop malicious or inadvertent data leakage.

This guide provides the key points you need to understand as you organize your DLP project, define the key user profiles that affect your DLP strategy and roll out your DLP program at every phase of deployment. As you read, keep in mind these must-dos:

- Determine goals and objectives for your DLP program up front. As with all change initiatives, DLP programs should help achieve strategic business objectives and provide benefits in return for the costs incurred. Clear and measurable goals and objectives at the outset will ensure that the program is focused on protecting the data that is most important to the organization.
- Address all aspects of People, Process and Product. As highlighted throughout this document, DLP revolves around the people, the processes and the technology products you use. It's critical to identify clear roles and responsibilities for individuals, create effective processes to detect and respond to incidents and configure your tools accurately to identify and prevent data loss.
- Establish ample executive support and participation. Active involvement from business and operating units across your organization will create more user acceptance of the transition toward a more secure environment. It will also ensure that business input is provided at key stages, which is paramount for a successful DLP program.
- Define sensitive data. Implementing DLP technology and controls universally across an organization can have an adverse and costly impact on the business. By defining sensitive data up front and aligning the program to protect their most sensitive data, organizations can ensure that resources are deployed to manage the most important risks.
- Reinforce awareness for end users. In their day-to-day work, end users are mostly confronted by the limitations imposed by DLP. Without an awareness of the reasons behind additional security measures, employees will be more likely to seek work-arounds to bypass controls. Increased awareness also helps users take responsibility for classifying and protecting critical information and assets.
- Formally define and monitor the effectiveness of DLP controls. Once implemented, the DLP controls and their effectiveness in protecting your data assets should be monitored closely to drive a cycle of constant improvement.

DLP PLANNING: ORGANIZE YOUR PROJECT FOR SUCCESS

Because DLP affects so many functions within an organization, you'll need to clarify roles and responsibilities across the workstreams detailed below. Building consensus about these workstreams at the outset will make it easier for your organization to implement and manage your DLP strategy.

[Figure: DLP project organization. 1 Project Leadership: Program Management, Steering Committee. 2 Project Management: Quality Management, Project Management Office. 3 Project Team: Change Management, Functional Workstream, Solution Workstream, Infrastructure Workstream.]

Program Management
This team ensures that the work effort achieves the goals stated by the steering committee. Responsibilities include:
- Set and review objectives
- Oversee management of project scope and cost

Steering Committee
This committee should be headed by the Chief Information Security Officer (CISO) or Chief Information Officer (CIO) and include all important stakeholders in the project.
Responsibilities include:
- Own and oversee implementation of the project's underlying strategies
- Define the project's connection to the enterprise's overall business plans and direction
- Provide and interpret policy
- Ensure participation of relevant business functions in the project
- Remove internal and external barriers to achieving the project's goals
- Review progress at set intervals to ensure alignment with the overall strategic vision
Quality Management
Responsibilities include:
- Assess and review project requirements and activities for quality planning and controls
- Ensure adherence to project timelines

Project Management Office
Responsibilities include:
- Derive and manage the project plan
- Dynamically allocate and direct resources to ensure product deliverables, timeline and budget
- Review project progress and coordinate with business functions as required

Change Management
Responsibilities include:
- Control changes to the project plan
- Adapt and implement effective new operational changes required to make the project successful

In many organizations, a single person carries out both the Functional and Solution workstreams.

Functional Workstream
To ensure its success, your DLP project needs representatives from relevant business functions within the organization who understand the critical business processes that deal with sensitive data. Primary responsibilities are:
- Understand business requirements from each business function
- Identify and document sensitive data from each business function
- Develop workflows for DLP policy creation and modification, and for incident management and remediation

Solution Workstream
These project members devise effective incident management and remediation frameworks, as well as structure metrics that allow stakeholders to understand progress made on the project, risks addressed by the strategy, the efficiency of incident management and so on. They should have deep technical knowledge of the DLP solution. Other responsibilities include:
- Analyze methods to detect sensitive data types
- Recommend best practices for data management
- Develop DLP policies based on business requirements
- Identify best practices for installation, administration and operation of the DLP solution
- Conduct training for business teams

Infrastructure Workstream
This function addresses technical deliverables relating to DLP system readiness, management, maintenance and support.
They configure policies and perform operational tasks on the DLP solution itself. Other responsibilities include:
- Conduct technical trainings
- Manage technical issues
- Meet with the operations team
- Generate reports
- Interact with the vendor support team
- Create technical documentation

DLP PLANNING: CLARIFY USER PROFILES

For a DLP roll-out to be effective, it needs clearly defined roles for key participants, from line-of-business personnel to technical DLP specialists to end users. Understanding up front what the different roles are and what each of them does will help ensure the success of your DLP program.

Business Function Lead
This person should be knowledgeable about the critical business processes and data used within the business function that will be addressed by the DLP project. This individual will be involved in data identification and classification and DLP policy approval. After the project is complete, this member will continue to offer feedback on critical business processes and the data generated from them.

DLP Consultant (Functional & Solution Workstreams)
The person in this role performs the functions stated under the Functional and Solution workstreams in the prior section. Often, it is a good choice to appoint the IT, security or risk specialist already responsible for the business function, as this person will need to combine an understanding of business processes with knowledge of the DLP solution. They should also have basic IT knowledge covering file directories, databases, directory paths, network credentials and related topics, and they will benefit from quality and security audit certifications (e.g. for ISO 27001) as well. When the project is complete, the DLP Consultant will continue to adapt DLP policies as needed, working in concert with the DLP Product Administrator.
DLP Product Administrator (Infrastructure Workstream)
This team member, usually from the IT Security organization, must be capable of installing, administering and supporting the DLP solution itself, which requires them to have completed DLP product training and to possess relevant IT knowledge. After the project is complete, this person will continue to write new policies and modify existing ones in the DLP product's management console as instructed by the DLP Consultant.
Business Function Incident Manager
This member's role is to interpret, analyze, manage and remediate DLP incidents as they arise. In practice, this means reading reports generated by the DLP solution and determining whether a non-conforming incident merits further investigation or escalation to the Critical Incident Manager or other management. In carrying out this role, the Incident Manager must be familiar with the critical business processes of their business function, as well as have detailed knowledge of the organization's incident management and remediation framework. During the project, they will also review and comment on policies, workflows and metrics and assist with end-user training.

Critical Incident Manager
This person, likely the CISO, chief risk officer or DLP strategy owner, must make the final decision on mitigation actions whenever a case of data leakage occurs. They will also manage any such incidents arising from the actions of the Business Function Lead, the Business Function Incident Manager and other high-profile users. This member should have a strong background in security or risk operations, along with solid knowledge of the critical business processes of the organization.

End Users
During the project, the team should recruit personnel who are interested in being pilot users to provide feedback on DLP issues specific to each business function, and to participate in user acceptance testing (UAT). These pilot users should use the software applications and have the access privileges of typical end users.

DLP IMPLEMENTATION: PHASES OF A SUCCESSFUL PROJECT

You should enter into your DLP project with a commitment to using best practices that align People, Process and Product to achieve effective outcomes. As represented by the diagram, the ongoing challenge of data loss prevention implies a multiphase cycle, where the successful outcome of your current project feeds into the initiation of the next project, perhaps by extending the DLP program to other business units. This section provides you with details for each phase.

Phase 1: Define Success & Freeze Project Scope
For a DLP project to work, it needs to be built on well-defined criteria for success that will demonstrate value to stakeholders across the organization. Too many organizations make the mistake of trying to address the data security needs of the entire enterprise through a single DLP project, but then struggle to demonstrate value. While DLP should indeed connect to broader security objectives (for example, your approach to stopping insider threats), your specific DLP project should be tightly defined, with objectives that can actually be measured and achieved. That's how you win buy-in across the organization, which is critical for long-term success.

Phase 2: Identify Critical DLP User Profiles
For your DLP strategy to be effective, the user profiles from the previous section of this paper need to be assigned to staff members who understand their responsibilities and have the resources they need to carry them out. Business stakeholders should share what they already know about the sensitive data that needs to be protected for their business function. To prevent scope creep, stakeholders might be asked to identify their top N types of sensitive information, where N is a number that fits within the agreed-upon scope for the DLP project.

Phase 3: Identify Sensitive Information & Business Requirements
Even though it relies on advanced technology, DLP is ultimately a business strategy meant to reduce risks for your organization. That's why it's so important for DLP project stakeholders to hold discussions with Business Function Leads and Business Function Incident Managers about which information is critical for each business function and what the operational requirements are for implementing DLP. When Forcepoint engages with clients on planning DLP projects, we share sample data classification worksheets, templates and questionnaires to streamline the process. Ask if your DLP technology provider offers similar tools.

Phase 4: Design & Manage DLP Policies
During this phase, the team reviews the data highlighted by every business function in Phase 3, engages the DLP Consultant and then derives policies to identify that data effectively. Your DLP tool will provide various data identifiers such as patterns, regular expressions, keywords, dictionaries, file attributes, fingerprints and machine learning algorithms. Once these data identifiers have been reviewed, you must decide which of them are needed to identify the data accurately. Then you can configure DLP policies (initially in monitoring mode), capture them in a policy log and obtain approvals from relevant stakeholders. You should also define appropriate change management controls for raising and approving change requests.
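The following Python sketch is an added illustration, not Forcepoint code and not part of the original whitepaper. It shows how three of the data identifier types named above (a regular-expression pattern backed by a checksum, a keyword dictionary, and a partial document fingerprint built from hashed word shingles) are attached to policies, how a policy in monitoring mode only logs while one in enforcement mode blocks, and what a policy log entry with version, mode and approver looks like. Every policy name, keyword, protected document, user and event is constructed for the example.

```python
"""Added example (not Forcepoint code): DLP data identifiers, policies and modes.
Every policy, keyword, protected document and event below is constructed."""
import hashlib
import re
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random 16-digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits with optional spaces or dashes


def find_card_numbers(text: str) -> list:
    """Pattern identifier: regular-expression hit confirmed by checksum validation."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


KEYWORDS = {"confidential", "internal only", "project falcon"}   # constructed dictionary


def find_keywords(text: str) -> list:
    """Dictionary identifier: case-insensitive phrase match."""
    lowered = text.lower()
    return sorted(k for k in KEYWORDS if k in lowered)


def shingles(text: str, n: int = 3) -> set:
    """Hash every run of n words; partial document fingerprints are built this way."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()[:16]
            for i in range(len(words) - n + 1)}


# Constructed protected document; the DLP system keeps only its shingle hashes.
PROTECTED_SHINGLES = shingles("Q3 board deck draft. Revenue target 42 million. "
                              "Acquisition of Falcon Ltd planned for November.")


def fingerprint_overlap(text: str) -> float:
    """Share of the text's shingles that also occur in the protected document."""
    s = shingles(text)
    return len(s & PROTECTED_SHINGLES) / len(s) if s else 0.0


def find_fingerprint(text: str, threshold: float = 0.5) -> list:
    """Fingerprint identifier: fires when enough of the text comes from the protected document."""
    overlap = fingerprint_overlap(text)
    return [f"{overlap:.0%} overlap with protected document"] if overlap >= threshold else []


@dataclass
class Policy:
    policy_id: str
    name: str
    identifiers: dict          # identifier name -> detector(text) returning a list of matches
    mode: str = "monitor"      # "monitor" only logs; "enforce" blocks the action
    version: int = 1
    approved_by: str = ""


@dataclass
class Event:
    user: str
    channel: str               # "email", "usb" or "web"
    content: str


@dataclass
class Incident:
    policy_id: str
    user: str
    channel: str
    identifiers: list          # which identifiers fired
    action: str                # "log" or "block"


def evaluate(policy: Policy, event: Event):
    """Return an Incident when any identifier of the policy fires, else None."""
    fired = [name for name, detect in policy.identifiers.items() if detect(event.content)]
    if not fired:
        return None
    return Incident(policy.policy_id, event.user, event.channel, fired,
                    "block" if policy.mode == "enforce" else "log")


def run_policies(policies, events) -> list:
    incidents = []
    for event in events:
        for policy in policies:
            incident = evaluate(policy, event)
            if incident:
                incidents.append(incident)
    return incidents


def policy_log_entry(policy: Policy) -> dict:
    """Row for the policy log that stakeholders approve before a policy moves to enforcement."""
    return {"id": policy.policy_id, "name": policy.name, "version": policy.version,
            "mode": policy.mode, "identifiers": sorted(policy.identifiers),
            "approved_by": policy.approved_by}


POLICIES = [
    Policy("P-001", "Payment card data", {"card_number": find_card_numbers},
           mode="enforce", version=3, approved_by="Finance Business Function Lead"),
    Policy("P-002", "Board materials", {"fingerprint": find_fingerprint, "keyword": find_keywords},
           mode="monitor", version=1, approved_by="CISO"),
]

EVENTS = [   # constructed sample traffic
    Event("alice", "email", "Hotel booking card: 4111 1111 1111 1111. Thanks!"),
    Event("bob", "usb", "FYI: Acquisition of Falcon Ltd planned for November"),
    Event("carol", "web", "Draft press release for review"),
    Event("dave", "email", "Ref 1234 5678 9012 3456 - internal only, do not forward"),
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy_log_entry(policy))
    for incident in run_policies(POLICIES, EVENTS):
        print(incident)
```

Two details matter for tuning in Phase 5: the checksum step is what keeps a 16-digit reference number ("1234 5678 9012 3456") from becoming a false positive, and the fingerprint threshold decides how much of a protected document must be present before an excerpt counts as a leak. Both are the kind of identifier parameter that should be recorded in the policy log alongside the approval.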
Policy Management Process
It's important to have a policy management process to ensure that new policies are created and managed effectively. That process should go something like this:
1. End User identifies that new sensitive data has been created, or that existing data has become sensitive.
2. Business Function Lead confirms that a new data leakage policy is needed and then sends the requirement for that policy to the DLP Consultant.
3. DLP Consultant translates the requirement into a new DLP policy based on the established framework, updates the DLP policy log and status files and sends the updated files to the DLP Product Administrator.
4. DLP Product Administrator writes the new DLP policies into the DLP solution's management console.
The procedure for modifying an existing policy works much the same, except that it's initiated when an end user or Business Function Incident Manager determines that an existing policy is ineffective.

Phase 5: Fine-Tune Policies and Incident Management
This phase is crucial for creating an effective policy framework and configuring DLP policies in enforcement mode. It starts with understanding why DLP incidents occur, because not every data leak is either intentional or malicious. Leaks fall into four main types, and each is best addressed by a different strategy:
- Accidental Leak: At least 60% of incidents arise from employee ignorance, when someone is unaware of the risks of sharing critical information. The remedy is employee education.
- Malicious Outsider: These arise when systems are infected with malware that attempts to exfiltrate data. The remediation strategy is to detect and remediate, identifying the machines that are affected and then cleaning those machines.
- Intentional Non-Malicious: Unexamined business processes can foster intentional employee behaviors that are inadvertently risky from a data loss perspective. Your DLP project will bring visibility to these processes, opening the door to productive discussions with relevant leaders about improving business processes or fine-tuning DLP policies to accommodate those that have an acceptable level of risk.
- Malicious Insider: These occur when employees try to steal information or do harm to the organization by leaking it. These incidents can be detected only if your DLP solution provides the insight needed for profiling risky user behaviors, as Forcepoint's Insider Threat Data Protection solution does. It is critical that your organization have defined processes to deal with such high-risk incidents.

DATA LEAK SOURCE              REMEDIATION STRATEGY
Accidental                    Employee education
Malicious outsider            Detect and remediate
Intentional (non-malicious)   Visibility
Malicious insider             Risky user behavior profiling

With a clear understanding of these types of leaks, your project team should identify the stakeholders with responsibility for security, risk, compliance, legal affairs, human resources and so on who need to take part in incident management and remediation processes, then create the workflows, including escalation mechanisms, relevant for those functions.

Phase 6: Implement Awareness & Training Programs

Awareness
Your DLP solution can be used as a great tool to spread awareness about your organization's data security policies, and to understand high-risk users who violate DLP policies because of ignorance. Options for raising awareness include:
- Display pop-ups to end users when they are about to violate policy
- Send notification emails to end users (and optionally managers) after they have violated policy
- Allow users to enter a justification message before performing an action which may violate policy
These awareness options can significantly reduce incidents triggered by end user negligence.

Training
It's very important that a proper training program is in place for different DLP user profiles.
Training should be given at regular intervals, with the following modules suggested for different types of users:

Incident Management & Reporting Training
Targeted at personnel who will access the reporting system to check alerts generated by the DLP solution. This training is relevant for Business Function Leads, Business Function Incident Managers, Critical Incident Managers and, optionally, DLP Product Administrators.

System Admin & Maintenance Training
Targeted at the IT personnel who will be responsible for maintaining the DLP solution from a technical perspective. DLP Product Administrators must attend this training before performing the responsibilities of that role.
Data Classification & Policy Training
Targeted at personnel who will be creating new policies and modifying existing ones. This training is relevant for Business Function Leads, DLP Consultants, DLP Product Administrators and, optionally, Business Function Incident Managers.

End User Training
It's very important to keep end users aware of the processes that they must follow to make the DLP strategy successful for your organization. This training should be offered through online modules at least once per quarter.

Phase 7: Manage the Project & Track Progress
To ensure that your project is successful and that stakeholders understand its importance for the organization, it's critical to use meaningful metrics that track how the DLP project is being executed. For instance, you want to know whether sensitive data is being copied to removable media such as DVDs or USB sticks. Your DLP solution monitors that activity and protects you from it, but it also keeps track of how often that type of activity happens and who attempts it. Over time, you will be able to see metrics for whether your DLP project, tied to an awareness program, is effective in reducing that risk. We recommend that you use at least the following reporting metrics:

Weekly Reports to Business Function Leads and Business Function Incident Managers
- Top policy category violations
- Top users and business processes that violate policies
- Reports with sample incidents highlighting business risks for each business function
- Policy violations per channel or application (USB, email, etc.)
- Risk reduction reports, based on the number of incidents per week

By grouping incidents specific to each business, you can help stakeholders understand the relevant risks that the DLP solution and the overall DLP strategy are identifying and preventing for them.
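As an added illustration (not Forcepoint code and not part of the original whitepaper), the following Python functions derive the Phase 7 reporting metrics from a plain list of incident records: violations per channel, top violating users (organization-wide or per business function), top policy categories, incident status, a per-ISO-week trend and a risk reduction figure comparing the first and last week. The incident records, user names, business functions and dates are constructed; a real DLP console export would carry the same fields under its own names.

```python
"""Added example (not Forcepoint code): Phase 7 reporting metrics from incident records.
The incident records below are constructed."""
from collections import Counter
from datetime import date


def rec(d, user, function, channel, category, status):
    return {"date": d, "user": user, "function": function,
            "channel": channel, "category": category, "status": status}


# Constructed incident log covering four ISO weeks; the count per week falls as awareness
# training takes effect, which is the trend the metrics are meant to surface.
INCIDENTS = [
    rec(date(2017, 2, 6),  "alice", "Finance", "usb",   "PCI", "open"),
    rec(date(2017, 2, 7),  "bob",   "Finance", "email", "PCI", "closed"),
    rec(date(2017, 2, 9),  "alice", "Finance", "usb",   "PCI", "closed"),
    rec(date(2017, 2, 10), "carol", "HR",      "web",   "PII", "open"),
    rec(date(2017, 2, 14), "alice", "Finance", "email", "PCI", "closed"),
    rec(date(2017, 2, 16), "dave",  "HR",      "usb",   "PII", "open"),
    rec(date(2017, 2, 17), "erin",  "Legal",   "email", "Confidential", "closed"),
    rec(date(2017, 2, 21), "alice", "Finance", "usb",   "PCI", "escalated"),
    rec(date(2017, 2, 23), "carol", "HR",      "email", "PII", "closed"),
    rec(date(2017, 3, 2),  "bob",   "Finance", "web",   "PCI", "open"),
]


def iso_week(d: date) -> str:
    """Label such as '2017-W06', so weekly reports line up with the calendar week."""
    year, week, _ = d.isocalendar()
    return f"{year}-W{week:02d}"


def for_function(incidents, function=None):
    """Restrict to one business function, or keep everything when function is None."""
    return [i for i in incidents if function is None or i["function"] == function]


def violations_per_channel(incidents, function=None) -> dict:
    return dict(Counter(i["channel"] for i in for_function(incidents, function)))


def top_users(incidents, n=10, function=None) -> list:
    """Top-N users violating policy; pass a function name for the per-business-function view."""
    return Counter(i["user"] for i in for_function(incidents, function)).most_common(n)


def top_policy_categories(incidents, n=5) -> list:
    return Counter(i["category"] for i in incidents).most_common(n)


def incident_status(incidents, function=None) -> dict:
    return dict(Counter(i["status"] for i in for_function(incidents, function)))


def incidents_per_week(incidents) -> dict:
    """Trend series keyed by ISO week, in chronological order."""
    return dict(sorted(Counter(iso_week(i["date"]) for i in incidents).items()))


def risk_reduction_pct(incidents) -> float:
    """Drop in the weekly incident count from the first to the last week, as a percentage."""
    weekly = list(incidents_per_week(incidents).values())
    first, last = weekly[0], weekly[-1]
    return round((first - last) / first * 100, 1) if first else 0.0


def report(incidents, function=None) -> dict:
    """Bundle the metrics; filter by business function for the weekly reports to Business
    Function Leads, or leave function=None for the organization-wide management view."""
    scoped = for_function(incidents, function)
    return {"function": function or "all",
            "top_users": top_users(scoped),
            "top_categories": top_policy_categories(scoped),
            "per_channel": violations_per_channel(scoped),
            "status": incident_status(scoped),
            "trend": incidents_per_week(scoped),
            "risk_reduction_pct": risk_reduction_pct(scoped)}


if __name__ == "__main__":
    print(report(INCIDENTS, "Finance"))
    print(report(INCIDENTS))
```

The same functions serve both report cadences: call them on one business function's incidents for the weekly view that an Incident Manager acts on, and on the whole log for the monthly view that shows management whether the trend is moving in the right direction.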
Monthly Reports to Senior Management
- Top 10 endpoints/users violating the policy for each business function
- Top policy category violations
- Policy violations per channel or application (USB, email, etc.)
- Incident reports
- Incident status reports
- Incident trend reports

It's vital that you inform stakeholders about how the strategy reduces business risks so that they, in turn, will lead their teams to adopt more risk-averse behavior to maintain data security. When you have achieved that, you'll know your DLP program is a success.

© 2017 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners. [WHITEPAPER_BUILDING_DLP_PROCESS_ENA4] 200045.021317